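---
# Deployment for the notes backend (namespace "notes", one replica).
# No credential is stored in this manifest: the Vault Agent injector renders
# them into files under /vault/secrets/, and the container start-up script
# sources those files into the environment before running the entrypoint.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: notes
  labels:
    app: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
        service: main
      annotations:
        # Outbound traffic to port 8200 (Vault's default API port) is excluded
        # from Istio sidecar redirection, so it gets no mesh mTLS or mesh policy.
        # NOTE(review): confirm the Vault address used by the agent is https.
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        # Secrets are rendered once by an init container that runs first; no
        # agent sidecar stays in the pod, so a rotated credential is only picked
        # up when the pod is restarted.
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        # Kubernetes auth against Vault with role "notes".
        # NOTE(review): confirm the policy bound to this role grants read on the
        # five paths below and nothing else; one of them is under a "common"
        # prefix (vault/common/django_auth).
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: notes
        # Each template below is written to /vault/secrets/<name> and later
        # sourced by bash (see the container args). Every value taken from Vault
        # is therefore wrapped in single quotes, with embedded single quotes
        # escaped as '\'' so that spaces, `$`, `;`, backticks or `$( )` inside a
        # secret are kept as literal text instead of being interpreted by the
        # shell. NOTE(review): if anything other than that bash `.` reads these
        # files, confirm it accepts shell-style quoting.
        vault.hashicorp.com/agent-inject-secret-notes-db: secrets/data/postgresql/apps/notes
        vault.hashicorp.com/agent-inject-template-notes-db: |-
          {{- with secret "secrets/data/postgresql/apps/notes" -}}
          PG_HOST=postgresql.notes.svc.cluster.local
          PG_PORT=5432
          PG_DB=notes_db
          PG_LOGIN='{{ index .Data.data "username" | replaceAll "'" "'\\''" }}'
          PG_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-notes-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-notes-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_TOKEN='{{ index .Data.data "key" | replaceAll "'" "'\\''" }}'
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-notes-rabbitmq: secrets/data/rabbitmq/apps/notes
        vault.hashicorp.com/agent-inject-template-notes-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/notes" -}}
          NOTES_RABBITMQ_VHOST='{{ index .Data.data "vhost" | replaceAll "'" "'\\''" }}'
          NOTES_RABBITMQ_USERNAME='{{ index .Data.data "username" | replaceAll "'" "'\\''" }}'
          NOTES_RABBITMQ_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'
          NOTES_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
          NOTES_RABBITMQ_PORT=5672
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-notes-s3: secrets/data/minio/apps/notes
        vault.hashicorp.com/agent-inject-template-notes-s3: |-
          {{- with secret "secrets/data/minio/apps/notes" -}}
          NOTES_S3_ENDPOINT='{{ index .Data.data.client "endpoint" | replaceAll "'" "'\\''" }}'
          NOTES_S3_REGION='{{ index .Data.data.client "region" | replaceAll "'" "'\\''" }}'
          NOTES_S3_BUCKET=notes
          NOTES_S3_ACCESS_KEY_ID='{{ index .Data.data "access_key" | replaceAll "'" "'\\''" }}'
          NOTES_S3_SECRET_ACCESS_KEY='{{ index .Data.data "secret_key" | replaceAll "'" "'\\''" }}'
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-notes-kafka: secrets/data/kafka/apps/notes
        vault.hashicorp.com/agent-inject-template-notes-kafka: |-
          {{- with secret "secrets/data/kafka/apps/notes" -}}
          NOTES_KAFKA_BOOTSTRAP_SERVERS='{{ index .Data.data.auth "bootstrap_servers" | replaceAll "'" "'\\''" }}'
          NOTES_KAFKA_SECURITY_PROTOCOL='{{ index .Data.data.auth "security_protocol" | replaceAll "'" "'\\''" }}'
          NOTES_KAFKA_SASL_MECHANISM='{{ index .Data.data.auth "sasl_mechanism" | replaceAll "'" "'\\''" }}'
          NOTES_KAFKA_USERNAME='{{ index .Data.data "username" | replaceAll "'" "'\\''" }}'
          NOTES_KAFKA_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'
          {{- end -}}
    spec:
      # Service account the pod runs as; presumably the identity bound to the
      # Vault role "notes" -- verify against the Vault Kubernetes auth config.
      serviceAccountName: notes-vault
      containers:
        - name: main
          # NOTE(review): the image is referenced by tag, and IfNotPresent
          # reuses whatever a node already has cached under that tag. Pinning by
          # digest (notes-backend@sha256:<digest>) makes the deployed content
          # verifiable.
          image: cr.yandex/crp3ccidau046kdj8g9q/notes-backend:production_81366854
          imagePullPolicy: IfNotPresent
          # NOTE(review): no securityContext is set on this container. Once the
          # image is confirmed to work with them, consider runAsNonRoot: true,
          # allowPrivilegeEscalation: false and capabilities.drop: ["ALL"].
          command: ["/bin/bash", "-ec"]
          # `set -a` exports every variable assigned while the secret files are
          # sourced, so all credentials end up in the process environment and
          # are inherited by every child of the entrypoint.
          # A missing file is skipped silently: `[ -f X ] && . X` does not trip
          # `-e` when the test fails, so the entrypoint would start without that
          # credential set. NOTE(review): consider failing start-up instead.
          args:
            - |
              set -a
              [ -f /vault/secrets/notes-db ] && . /vault/secrets/notes-db
              [ -f /vault/secrets/notes-django-auth ] && . /vault/secrets/notes-django-auth
              [ -f /vault/secrets/notes-rabbitmq ] && . /vault/secrets/notes-rabbitmq
              [ -f /vault/secrets/notes-s3 ] && . /vault/secrets/notes-s3
              [ -f /vault/secrets/notes-kafka ] && . /vault/secrets/notes-kafka
              set +a
              exec /bin/bash /opt/entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          env:
            # Non-secret settings only; values are strings, as Kubernetes
            # requires for env entries.
            - name: PG_SSL_MODE
              value: verify-full
            - name: DJANGO_HOST
              value: https://lk.sarex.io
            - name: BASE_HOST
              value: https://api.sarex.io/notes
            - name: TIMEOUT
              value: "120"
            - name: FAAS_SERVICE
              value: https://api.sarex.io/lambdas
            - name: WORKSPACE_URL
              value: https://api.sarex.io/workspaces/api/v1
            - name: WORKFLOW_HOST
              value: https://api.sarex.io/workflows/api/v1
            - name: WORKFLOW_TAG
              value: stable
            - name: RESOURCE_URL
              value: https://api.sarex.io/resources/api/v1
            - name: SYNC_RESOURCE_ID
              value: "0"
            - name: ENABLE_ND
              value: "0"
            # NOTE(review): plain http to an in-cluster service; transport
            # encryption then depends on the mesh (Istio mTLS) -- confirm it is
            # enforced for the attachments namespace.
            - name: ATTACHMENT_HOST
              value: http://attachments-service.attachments.svc.cluster.local:80/api/v1
            # Also assigned in the notes-db secret file; the sourced value
            # replaces this one when that file exists (both are 5432 here).
            - name: PG_PORT
              value: "5432"
          # NOTE(review): only requests are declared. Without limits a runaway
          # process in this container can consume node memory and CPU.
          resources:
            requests:
              cpu: "25m"
              memory: 128Mi
      imagePullSecrets:
        - name: regcred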